Genpact boosts security management with SIEM tool

Back in 2004, Genpact was still a captive BPO for GE. Genpact’s VP & Global Information
Security Leader Raja Vijay Kumar Adapa remembers how his company’s security framework had matured
to a point where cogent analysis was required. With many GE subsidiaries outsourcing business to
Genpact on a large scale, security was also becoming a top priority.

Genpact had acquired a network intrusion detection system
(NIDS) around that time, and Kumar was still grappling with the problem of aggregating and
analyzing logs/alerts from the NIDS. To augment the existing security arsenal, Kumar and his team
decided to invest in a security information and event management (SIEM) solution, and there has
been no looking back since then.

Genpact’s requirements

NIDS devices were new to the market at the time, and Satish Jagu, Genpact’s senior manager for
corporate information security, explains that the challenge was dealing with the volume of alerts
that these devices generated. The NIDS would inundate the console with alerts, says Jagu, making
manual real-time monitoring and identification of issues almost impossible.


Though implemented, the NIDS was not bringing much benefit, given the manual process, says
Kumar. The system was being used reactively, after an incident had already occurred. There was thus
a need for an automated system that could perform real-time monitoring and correlation, all on a
single console. The requirement was for an agent-less SIEM system, which would avoid conflicts with
existing applications and services and avoid production downtime, configuration changes and review
cycles.

Selecting SIEM

Genpact chose netForensics’ SIEM tool, citing device support and local presence as important
selection criteria. Jagu remembers that there was direct interaction with the developers right
from the outset, giving Genpact an edge on developing integration for legacy applications and
devices from the GE days.

Kumar explains that the SIEM tool today has several modules, covering server logs, network
equipment logs and NIDS logs. As Genpact had Unix and Windows servers, server log support was
considered important. The SIEM tool from netForensics supported NIDS and network logs and the
vendor agreed to develop the required server modules based on Genpact’s requirements.

Implementing SIEM

Genpact had a plethora of legacy devices and applications, support for which had to be built
from the ground up in many cases. The SIEM tool was expected to be deployed on a centralized
setup, which required checking bandwidth availability and other dependencies across the network.

The scope of implementation was limited to begin with, in order to keep initial investment at a
minimum, says Kumar. The SIEM tool was initially used with a few critical devices such as servers,
essential network equipment and NIDS. After
streamlining, the scope was expanded across the network, as the security team gained confidence
and experience.

Network components were brought on board one by one, integrated, monitored and profiled. Jagu
explains that this process is still followed whenever a new device enters the network. The SIEM
consists of a server that acts as an agent for all devices, with only minor configuration changes
required on the devices themselves to point their logs at the SIEM tool.

The vendor’s technical team under netForensics’ technical director carried out the initial
setup, after which Genpact’s security team took over for the integration and expansion phase. The
entire implementation took close to two years back then, says Jagu, since the vendor team had to
take problems back to the developers to put enhancements in place.

Over time the product has standardized and is now managed completely by Genpact, with standard
support from netForensics. The SIEM tool is now an organization-wide standard and is being
rolled out in Genpact's global locations as well. The SIEM is managed by six people out of
Genpact's SOC in Hyderabad, India, which was developed in parallel with the SIEM project.

While most support is on-call or remote, major upgrades require assistance, says Jagu. He cites
the example of setting up a DR site for the SIEM at Gurgaon, which required the vendor’s
expertise.

Building maturity and notable milestones

According to Kumar, the primary challenges involved suppressing false positives and training
personnel. In the initial adoption stages a high level of expertise was required, until the
system was streamlined and configured appropriately. For this, on-site training was requested from
the vendor. Such training is now conducted every two years and also for every major product
upgrade.
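The two problems the article describes, a NIDS flooding the console with repeated alerts and the later effort to suppress false positives, are what a SIEM's correlation layer addresses. The following is an added illustration, not code from Genpact or netForensics: it parses constructed syslog-style NIDS lines (a hypothetical format), drops signatures the SOC has tuned out, and collapses repeats of the same signature/source/destination within a time window into a single counted console event.

```python
import re
from datetime import datetime, timedelta

# Constructed NIDS alert lines in a hypothetical syslog-like layout (not real data).
RAW_ALERTS = """\
2004-06-01T10:00:01 nids1 ALERT sig=1001 msg="ICMP PING" src=10.1.1.5 dst=10.1.2.9 prio=3
2004-06-01T10:00:02 nids1 ALERT sig=1001 msg="ICMP PING" src=10.1.1.5 dst=10.1.2.9 prio=3
2004-06-01T10:00:03 nids1 ALERT sig=2003 msg="SMB login failure" src=10.1.1.7 dst=10.1.2.20 prio=2
2004-06-01T10:00:04 nids1 ALERT sig=2003 msg="SMB login failure" src=10.1.1.7 dst=10.1.2.20 prio=2
2004-06-01T10:00:05 nids1 ALERT sig=2003 msg="SMB login failure" src=10.1.1.7 dst=10.1.2.20 prio=2
2004-06-01T10:00:06 nids1 ALERT sig=3100 msg="Web scanner UA" src=10.1.1.9 dst=10.1.2.30 prio=1
2004-06-01T10:07:00 nids1 ALERT sig=2003 msg="SMB login failure" src=10.1.1.7 dst=10.1.2.20 prio=2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) ALERT sig=(?P<sig>\d+) msg="(?P<msg>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) prio=(?P<prio>\d)$')

# Hypothetical tuning list: signatures reviewed by the SOC and classified as benign on
# this network (here, monitoring pings), so they never reach the analyst console.
SUPPRESSED_SIGS = {"1001"}

def parse_alerts(text):
    """Parse raw lines into dicts; malformed lines are skipped rather than failing the batch."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            out.append(d)
    return out

def correlate(alerts, window=timedelta(minutes=5)):
    """Drop suppressed signatures, then collapse repeats of the same (sig, src, dst)
    seen within `window` of the first occurrence into one event carrying a count."""
    events, open_events = [], {}   # open_events: key -> index of its current window
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["sig"] in SUPPRESSED_SIGS:
            continue
        key = (a["sig"], a["src"], a["dst"])
        idx = open_events.get(key)
        if idx is not None and a["ts"] - events[idx]["first_seen"] <= window:
            events[idx]["count"] += 1
            events[idx]["last_seen"] = a["ts"]
        else:   # first sighting, or the earlier window has expired: new console event
            events.append({"sig": a["sig"], "msg": a["msg"], "src": a["src"], "dst": a["dst"],
                           "prio": int(a["prio"]), "first_seen": a["ts"],
                           "last_seen": a["ts"], "count": 1})
            open_events[key] = len(events) - 1
    return events

def console_view(text):
    """Return (raw alert count, correlated events) so the volume reduction is measurable."""
    alerts = parse_alerts(text)
    return len(alerts), correlate(alerts)
```

On the constructed input, seven raw alerts become three console events: one SMB failure event with a count of three, one web-scanner event, and a second SMB event because the last repeat falls outside the five-minute window.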

The implementation underwent a major upgrade recently with the move to Oracle 11i when support
for versions 9 and 10 ceased. New technologies like VoIP also had to be
factored into the scheme of things.

Benefits

Kumar says that with SIEM, Genpact has gained visibility into its security posture and
corrective action is usually taken before business can be impacted. The intelligence from the SIEM
is used to enhance and strengthen the security framework and a proactive mechanism exists to
reliably forecast and monitor violations to Genpact’s norms and security policies.

Since the SIEM was deployed, the business has not suffered any downtime caused by network-based
attacks. Jagu feels that from compliance and customer assurance standpoints, the tool has paid for
itself several times over, and it is now even showcased to customers as a strategic security tool.

SearchMidmarketSecurity.com’s tutorials offer IT professionals in-depth lessons and technical advice on the hottest topics in the midmarket IT security industry. Through our tutorials we seek to provide site members with the foundational knowledge needed to deal with the increasingly challenging job of keeping their organizations secure.